Onboarding Microsoft API Scanning

Modified on Sat, 7 Sep at 4:11 PM

Microsoft API

Emails are scanned in parallel with delivery. The email first arrives in the end user's inbox, and is removed only after scanning finds it to be malicious. End users may therefore see malicious emails in their inboxes for a few seconds before the email is deleted. This method doesn't require a TXT record and has a simple onboarding process. For details, see "Onboarding Microsoft 365 [API]" on page 166.


Note: 

  • The Microsoft 365 integrations monitor incoming emails only - not outgoing emails. 

[Outbound monitoring can be added to inbound Microsoft 365 [Inline and API] integrations - see "Onboarding Microsoft 365 - Outbound" on page 217]

  • By default, internal email is not monitored. To add monitoring for internal email, contact Perception Point Support [support@perception-point.io]. There may be additional licensing requirements for adding internal scanning.
  • For information about switching between Inline integration and API integration, see "Switching integrations" on page 842.


Perception Point X-Ray scans email messages up to a maximum of 40 MB [including attachments]. Larger email messages are not scanned by Perception Point X-Ray, and will be delivered to the specified recipients.

Note: 

  • Due to external technical limitations, the 40 MB limitation can't be increased.
  • We recommend that you limit receiving email attachments up to 30 MB in size. Files that are larger than 30 MB should be shared using a different file sharing service, such as Microsoft OneDrive or Google Drive.


Comparing the Inline and API connection methods

The table below should help you to choose the better connection method for your scenario - Inline or API...

 

 

| Inline | API scanning |
|---|---|
| Operates in prevention mode | Operates in detection and response mode |
| More complex connection procedure - typically requires about 10 minutes to complete | Simple and quick connection procedure - typically requires about 2 minutes to complete |
| Requires adding a TXT record to the DNS | A TXT record is not required |
| Scans and blocks malicious emails pre-delivery | Scans emails in parallel with the delivery of the emails |
| Adds an extra hop to the email | Scans in parallel and therefore doesn't add a hop |
| End users won't see any emails with malicious scan verdicts in their inboxes | End users may see malicious emails in their Inboxes for a few seconds before the scan is completed and the email is deleted |
| Supports hybrid environments | Supports only Microsoft 365 environments |
| Allows remediation | Allows remediation |
| Supports scanning of inbound, internal, and outbound email | Supports scanning of inbound and outbound email |



 Onboarding Microsoft 365 [API]

 

About onboarding Microsoft 365 using the Microsoft API

You can connect your Microsoft 365-based email services to Perception Point's Advanced Email Security using the Microsoft Graph API. This is called the Microsoft API connection method.

 

Note: With the Microsoft 365 API method of integration, Perception Point X-Ray scans email messages up to a maximum of 500 MB [including attachments]. 


By default, the Microsoft 365 integrations monitor incoming emails only - not outgoing emails. 

  • By default, internal email is not monitored. To add monitoring for internal email, contact Perception Point Support [support@perception-point.io]. There may be additional licensing requirements for enabling internal scanning.



Note: 

  • After onboarding a Microsoft 365 - API integration, you can't change the set of assets that are protected by Perception Point X-Ray. Changing the set of assets includes:
    • deleting any of the specified domains, groups, or users
    • specifying additional domains, groups, or users

Suggested workaround: To change the set of assets that are protected, first off-board the API integration, and then on-board it again, with the required protection configuration.

  • You can specify a maximum of 300 assets [domains, groups, and users] to protect.


A bit more about the Microsoft 365 API integration

Onboarding process

  • API scanning starts by creating a webhook for each user in the Microsoft 365 environment.

Protection mechanism

  • When a user is protected by Perception Point X-Ray Microsoft 365 API integration, the scan activates upon the arrival of an inbound email.
  • Microsoft 365 triggers notifications to the scanning system about new emails in a user's Inbox.
  • The system retrieves the email's metadata and EML file copy for analysis.

Scan and response

  • Clean: If an email is assigned a clean verdict, the email proceeds to the user's Inbox without intervention.
  • Spam: By default, spam emails are moved to the junk folder via Microsoft Graph REST API calls.
  • Malicious: By default, malicious emails are moved to a hidden folder inside the user's mailbox. The hidden folder is created upon encountering the first malicious threat for that user. 

When an email is moved to the quarantine folder, the subject of the quarantined email is changed to "Quarantined Email" and the content [body] of the quarantined email is changed to "This Email has been quarantined." If the quarantined email is subsequently found to be clean or spam [junk], the original subject and contents are returned to the email when it is released.
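Because the API method removes a message only after it has landed in the Inbox, it is worth measuring how long remediated messages were actually visible and whether a user opened one first. The following Python is an added example, not Perception Point code: it runs over constructed, simplified events, and the event names, record layout and 30-second "slow" threshold are assumptions to be mapped onto your own mailbox audit and remediation records.

```python
from datetime import datetime

# Constructed sample events (not real audit-log output). Each record is a
# simplified tuple: (ISO timestamp, mailbox, message id, event).
#   "delivered"  = message landed in the Inbox
#   "opened"     = the user accessed the message
#   "remediated" = the scanner moved it to Junk or the hidden quarantine folder
EVENTS = [
    ("2024-09-07T10:00:00", "alice@example.com", "msg-1", "delivered"),
    ("2024-09-07T10:00:04", "alice@example.com", "msg-1", "remediated"),
    ("2024-09-07T10:01:00", "bob@example.com", "msg-2", "delivered"),
    ("2024-09-07T10:01:03", "bob@example.com", "msg-2", "opened"),
    ("2024-09-07T10:01:09", "bob@example.com", "msg-2", "remediated"),
    ("2024-09-07T10:02:00", "carol@example.com", "msg-3", "delivered"),
    ("2024-09-07T10:05:00", "carol@example.com", "msg-3", "remediated"),
    ("2024-09-07T10:06:00", "dave@example.com", "msg-4", "delivered"),  # clean, never moved
]

def exposure_report(events, slow_after_s=30):
    """Per remediated message: seconds in the Inbox, opened-before-removal, slow flag."""
    timeline = {}
    for ts, mailbox, msg_id, kind in events:
        entry = timeline.setdefault((mailbox, msg_id), {"opened": []})
        when = datetime.fromisoformat(ts)
        if kind == "opened":
            entry["opened"].append(when)
        else:
            # Keep the earliest delivery/remediation if an event is repeated.
            entry[kind] = min(when, entry.get(kind, when))
    report = []
    for (mailbox, msg_id), e in sorted(timeline.items()):
        if "delivered" not in e or "remediated" not in e:
            continue  # clean mail, or a remediation with no matching delivery
        window = (e["remediated"] - e["delivered"]).total_seconds()
        if window < 0:
            continue  # clock skew or mismatched ids: skip rather than report nonsense
        opened = any(e["delivered"] <= o < e["remediated"] for o in e["opened"])
        report.append({"mailbox": mailbox, "message": msg_id,
                       "window_s": window, "opened_before_removal": opened,
                       "slow": window > slow_after_s})
    return report

def needs_follow_up(report):
    """Messages a user could have acted on: opened in the window, or left too long."""
    return [r["message"] for r in report if r["opened_before_removal"] or r["slow"]]

if __name__ == "__main__":
    print("follow up:", needs_follow_up(exposure_report(EVENTS)))
```

Messages returned by `needs_follow_up` are the ones where remediation alone is not enough and the recipient's activity after opening should be reviewed.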

How to onboard Microsoft 365 using the Microsoft API

This onboarding procedure for a Microsoft 365 API integration includes:

  • Specifying the connection method.
  • Enabling the Perception Point app - that enables the required access to your Microsoft 365 account.
  • Specifying who to protect [the plan].
  • Initiating the connection process.

To onboard Microsoft 365 using the Microsoft API:

  1. On the right of the Perception Point X-Ray banner, click the Add Services icon.
  2. Click Add A New Email Service - if this option appears.
  3. Select the Organization - if necessary.
  4. Specify the Escalation contacts. For details, see "Escalation contacts" on page 100.
  5. In Email Service, select Microsoft 365.
  6. In Connection Method, select Microsoft API.
    1. Inbound will be automatically selected. This configures Perception Point X-Ray to scan emails that are received from outside the organization.
    2. Outbound: [Optional] This configures Perception Point X-Ray to scan emails that are sent from inside the organization. This option appears only if outbound scanning is enabled.
  7. Click ENABLE M365 APP - in the bottom right corner. [This is the remediation app.]

Important: If the ENABLE M365 APP button is not enabled, make sure that you have specified an escalation contact above.

  8. A pop-up window will open - allowing you to sign in to your Microsoft account.

Note: If the pop-up does not appear, make sure that pop-ups are not blocked on your computer.

  9. Sign in to your Microsoft account as a global admin.

You'll see a list of the permissions that are required by the Perception Point app.

  10. Click Accept.

The next step in the onboarding wizard appears.

  11. Click Next. A summary of your selected configurations will be displayed.
  12. Review the configurations, and then click Done. This will begin the connection process to protect the users that you specified above. This connection process may take a while to complete.


 

Connection start time:

The time that the connection process was started.

Completion time:

The time that the connection process was completed.

Total no. of users in plan:

The number of users included in the plan. This is the maximum number of users that will be protected when the connection process is complete. This excludes invalid users in the plan.

Protected users:

The number of users that are already protected by Perception Point X-Ray.

Non-supported users (on-prem):

The number of Microsoft Exchange users that are included in the plan that you specified. These users will not be protected by Perception Point X-Ray. You can export a .csv file that contains a list of these users.

This value is applicable in "Microsoft 365 - Exchange" hybrid environments.

Currently non-operative users:

The number of users that are included in the plan that you specified, but for whom Perception Point X-Ray was not able to add protection during the connection process. You can export a .csv file that contains a list of these users.

 

This information will be displayed for 30 days after the connection process is completed.

When the In Progress indicator changes to Completed, the users included in the plan will be protected.


 

Monitoring Mode

Important [for integrations in monitoring mode only]

Note: In monitoring mode [also known as passive mode], Perception Point X-Ray will not quarantine any malicious emails or route spam to junk boxes.

To complete the API integration in monitoring mode, perform these steps:

  1. Open the Account > Channels page.
  2. On the right, click Default Channel Settings.
  3. Click Edit.
  4. Under Detection, clear the Malicious, Restricted, and Spam check boxes.

Note: Perception Point X-Ray will not quarantine any malicious emails or route spam to junk boxes.

  5. Click Save.
  6. Contact Perception Point Support [support@perception-point.io] - and inform them that you have onboarded a Microsoft 365 API integration. Perception Point Support will complete the configuration.

 


Configuring spam remediation

Configuring a Microsoft 365 API integration includes specifying what happens to emails that are assigned a spam verdict [if spam emails are not configured to be quarantined]. The options are:

  • Inbox: The email is sent to the user's Inbox. This setting is typically used for PoC installations - not for production installations.
  • Junk: The email is sent to the user's Junk folder. This setting is typically used in production installations - not in PoC installations.

With the Microsoft 365 API integration, Perception Point X-Ray may move an email from the Inbox to the Junk folder after the email has initially arrived in the Inbox. The procedure is therefore referred to as "spam remediation".

When a Microsoft 365 API inbound integration is initially configured, the spam remediation is set to Junk.

Note: The "spam remediation" functionality will apply only if:

  •  You don't have any contradicting rules in your Microsoft email account. For details, contact Perception Point Support [support@perception-point.io].
  • Spam emails are not configured to be quarantined. For details, see "Which verdicts cause quarantine" on page 722.


The spam remediation controls appear only if a Microsoft 365 API inbound integration is configured.

To change the spam remediation location:

  1. Open the Account > Channels page.
  2. Under Enabled Channels, on the right of Email Service > Microsoft 365, click Channel Settings. The "Email Service Settings" sidebar opens.
  3. Click Edit.
  4. Under Microsoft Account Options > "Move spam emails that are not quarantined to", select Junk or Inbox.
